By Tom Le, Director of Research & Development, BT Managed Security Solutions Group
In honor of National Cyber Security Awareness Month, we are continuing our series of posts on what businesses can do to foster a culture of cyber security awareness and preparedness with Tom Le’s thoughts on enforcing network security policies …
Protecting the network is one of the toughest challenges for IT departments, especially when it comes to enforcing network security policies. While implementation of security controls to restrict access to only that which is allowed is always desirable, that goal is difficult to obtain due to the challenge of accommodating all the connectivity needs for a constantly changing number of internal users, contractors, partners, device platforms, and applications.
Understanding the benefits of policy enforcement begins with recognizing the risks of insider attacks. The Verizon 2010 Data Breach Investigations Report found that the number of insider breaches is increasing, with malicious insiders involved in 48 percent of cases, an increase of 26 percent over 2009. Further, of all data breaches in 2010, organized criminal groups were responsible for 85 percent of all stolen data. In other words, the potential financial impact to an organization resulting from a data breach is significantly magnified when the potential attackers are both sophisticated and capable of converting stolen data into currency.
In contrast to simple external access rules, internal access controls are often limited to data access, such as user, group, file, and database permissions. The big limitation with these controls is that they often focus only on employee malfeasance, such as when a trusted user behaves improperly. These policies are inadequate in dealing with stolen credentials, which are the most common cause of insider attacks, as confirmed by both the Verizon report and the dataset provided by the U.S. Secret Service.
Knowing that the most common type of insider attack masquerades as a trusted user could completely reshape an IT organization’s approach to enforcing policy. For example, all of the controls in place to protect payroll records may not make a difference if an HR employee’s workstation is compromised, or if a networking device allows for eavesdropping on unencrypted traffic. To implement effective policy enforcement, the enforcement strategy must encompass the entire IT estate — from critical IT infrastructure down to the user endpoints.
Compared with point solutions such as NAC, event monitoring enables a more flexible approach to enforcing policy when combined with human process. For example, event monitoring can easily alert on misuse such as instant messenger, IRC, peer-to-peer or other prohibited applications. While the use of such applications is not by itself a direct attack, this activity widens the potential attack surface. A notification from IT to users in violation of such network security policies increases user awareness and reduces the likelihood of continued misuse. The most egregious violations can be investigated as part of an organization’s incident handling process. In other words, everyone in the organization, down to the end user, becomes accountable for policy enforcement.
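To make the event-monitoring idea concrete, here is an added example (not code from the original post or from BT) of a small monitoring rule that flags prohibited-application traffic in flow logs and aggregates the hits per user, so IT can send the awareness notice the text describes. The log layout, the port-to-application mapping, the user names and the addresses are all assumptions constructed for the example.

```python
"""Added example (not from the original BT post): flag prohibited-application
flows in constructed flow-log lines and aggregate them per user for an
awareness notification. Log format, ports and names are assumptions."""
from collections import defaultdict

# Constructed flow-log lines in an assumed "timestamp user src dst:port proto" layout.
SAMPLE_FLOW_LOG = """\
2010-10-05T09:01:12 jdoe 10.1.4.22 203.0.113.7:6667 tcp
2010-10-05T09:02:40 jdoe 10.1.4.22 203.0.113.7:6667 tcp
2010-10-05T09:03:05 asmith 10.1.5.31 198.51.100.9:443 tcp
2010-10-05T09:04:19 asmith 10.1.5.31 198.51.100.40:6881 tcp
2010-10-05T09:05:55 bchen 10.1.6.12 192.0.2.77:5222 tcp
2010-10-05T09:06:10 asmith 10.1.5.31 198.51.100.41:6889 udp
"""

# Assumed policy: well-known ports of applications the policy prohibits.
PROHIBITED_PORTS = {
    6667: "IRC",
    5222: "instant messenger (XMPP)",
    **{p: "peer-to-peer (BitTorrent)" for p in range(6881, 6890)},
}


def parse_flow(line):
    """Split one flow-log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, src, dst, proto = parts
    host, _, port = dst.rpartition(":")
    if not port.isdigit():
        return None
    return {"ts": ts, "user": user, "src": src, "dst": host,
            "port": int(port), "proto": proto}


def find_policy_violations(log_text):
    """Return {user: {application: hit_count}} for prohibited-application flows."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_flow(line)
        if event is None:
            continue
        app = PROHIBITED_PORTS.get(event["port"])
        if app:
            hits[event["user"]][app] += 1
    return {user: dict(apps) for user, apps in hits.items()}


def notification_lines(violations):
    """Render one awareness notice per user, sorted by user name."""
    out = []
    for user in sorted(violations):
        apps = ", ".join(f"{app} x{n}" for app, n in sorted(violations[user].items()))
        out.append(f"{user}: prohibited application use detected: {apps}")
    return out


if __name__ == "__main__":
    for line in notification_lines(find_policy_violations(SAMPLE_FLOW_LOG)):
        print(line)
```

Port-based matching is deliberately simple; in practice a proxy or IDS application label is a stronger signal, but the per-user aggregation and the notification step are the part that turns a log line into accountability.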
Monitoring in combination with effective IPS policies can also mitigate the risks associated with inadequate patching. In many cases, only critical assets or those under regulatory compliance are strictly maintained. While less critical assets may pose minimal risk in the event of a system breach, they can be a launching point for other attacks, including the theft of user credentials. Monitoring can help assess the risk of leaving systems unpatched and detect attempted exploits against known vulnerabilities.
Finally, monitoring helps identify anomalous activity that is difficult to address with access control technologies. For example, a user performing a dictionary-based authentication attack may never be blocked by access control technology, and such technology is only effective within the corporate network. Should an endpoint be compromised outside of the network, upon its reintroduction into the network it may exhibit behavior such as reconnaissance activity that would only be detected with monitoring.
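Both behaviors named above (a dictionary-style authentication attack and reconnaissance from a returning endpoint) are visible in logs even when no access rule fires. The following added example (not code from the original post or from BT) runs two sliding-window detections over constructed auth-log and flow-log lines: a burst of failed logins from one source, and one source contacting many distinct internal hosts in a short span. The log layouts, thresholds, windows and addresses are all assumptions.

```python
"""Added example (not from the original BT post): two monitoring detections
for activity the text says access controls alone will not stop. Log layouts,
thresholds and addresses are assumptions constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in an assumed "timestamp result user src" layout:
# six failures in six seconds from one source, plus one ordinary user typo.
SAMPLE_AUTH_LOG = "\n".join(
    f"2010-10-05T08:00:{i:02d} FAIL admin 10.1.9.50" for i in range(6)
) + """
2010-10-05T08:00:30 FAIL jdoe 10.1.4.22
2010-10-05T08:15:00 OK jdoe 10.1.4.22
"""

# Constructed flow records in an assumed "timestamp src dst port" layout:
# 10.1.7.80 is a laptop that has just rejoined the network and sweeps a subnet.
SAMPLE_FLOW_LOG = "\n".join(
    f"2010-10-05T08:30:{i:02d} 10.1.7.80 10.1.1.{i + 1} 445" for i in range(12)
) + """
2010-10-05T08:30:10 10.1.4.22 10.1.1.10 443
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def sliding_windows(events, window):
    """Yield (start, end) index pairs over time-sorted (timestamp, ...) tuples
    such that events[start..end] all fall within `window` of each other."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield start, end


def detect_auth_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: max_failures_in_window} for sources with at least
    `threshold` FAIL events inside any span of length `window`."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, result, _user, src = parts
        if result == "FAIL":
            fails[src].append((parse_ts(ts), src))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        for start, end in sliding_windows(events, window):
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def detect_recon(log_text, fan_out=10, window=timedelta(minutes=5)):
    """Return {src: max_distinct_hosts_in_window} for sources that contact at
    least `fan_out` distinct destination hosts inside any span of `window`."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, _port = parts
        flows[src].append((parse_ts(ts), dst))
    alerts = {}
    for src, events in flows.items():
        events.sort()
        for start, end in sliding_windows(events, window):
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= fan_out:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print("auth bursts:", detect_auth_bursts(SAMPLE_AUTH_LOG))
    print("recon fan-out:", detect_recon(SAMPLE_FLOW_LOG))
```

The thresholds are the tunable part: a login-failure count that is noise for a help desk is an alert for a service account, and fan-out that is normal for a management server is reconnaissance for a user laptop, so a real deployment keys them to the asset class rather than using one global value.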
In summary, with the increasing risks associated with attacks originating from inside the network, combined with the growth of mobile users and diverse endpoints, effective policy enforcement needs to encompass the entire IT estate. While traditional policy enforcement approaches focus on network access controls, the use of event monitoring can be a cost-effective and more flexible method of not only enforcing policy, but also extending awareness and accountability to every user throughout the organization.